My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


October 2015 mobile malware review from Doctor Web

October 30, 2015


  • Detection of a dangerous Trojan targeting iOS devices
  • Detection of yet another malicious program on Google Play
  • New cases of Android firmware being infected with malicious applications
  • Emergence of new banking Trojans

Number of entries for malicious and unwanted software targeting Android OS in Dr.Web virus database

September 2015October 2015Dynamics

Mobile threat of the month

At the beginning of October, security researchers detected a new Trojan targeting iOS. The program, dubbed IPhoneOS.Trojan.YiSpecter.2, was distributed as a harmless application mainly among users in China. In particular, if the user visited a website with adult content to view some videos, they were prompted to install a special video player that, although it had all the necessary features to play those videos, contained a Trojan. To spread this malicious program, cybercriminals employed a corporate software distribution method that allows iOS devices' owners to get applications from sources other than the App Store—at that, IPhoneOS.Trojan.YiSpecter.2 got installed on all smartphones and tablets regardless of whether they were “jailbroken” or not.

#drweb #drweb #drweb

IPhoneOS.Trojan.YiSpecter.2 has the following features:

Trojans on Google Play

In October, security researchers detected yet another Trojan on Google Play. The Trojan, dubbed as Android.PWS.3, was disguised as an audio player that enabled Vkontakte (“ВКонтакте”) users to listen to audio content. Once launched, Android.PWS.3 prompted the potential victim to log in to their Vkontakte account displaying an appropriate authorization form. Once the user entered their login and password, the Trojan forwarded that information to cybercriminals. Moreover, after a connection to the command and control server was established, the Trojan received a list of Vkontakte groups where it automatically added users of compromised devices promoting the communities.

#drweb #drweb #drweb

Firmware Trojans

Almost every month Doctor Web security researchers register new cases of Android firmware being infected with malicious applications—the second autumn month did not become an exception. This time, several mobile devices had a preinstalled malicious program dubbed Android.Cooee.1. The malware is incorporated in a launching application (Android graphical shell) and contains a number of special modules responsible for showing advertisements. Moreover, the malware can download and run not only additional advertising packages but also other applications, including malicious ones—in particular, Android.DownLoader.225 designed to stealthily download various programs on the compromised device.

If the user removes the launching application containing Android.Cooee.1, next time the device is turned on, the operating system will not load. Therefore, before uninstalling the malicious program, users are recommended to install some other launching application and set it as default.

Banking Trojans

In October, a large number of various banking Trojans continued to target Android devices. One of such Trojans is Android.BankBot.80.origin that was detected at the end of the month and was disguised as an official banking application of a Russian financial organization. Once Android.BankBot.80.origin is installed and run, it prompts the user to grant it administrator privileges. After the consent is given, the malware scans the user's contact list sending all numbers SMS messages that look as follows: Hi! Vote for me http://****** (“Привет, проголосуй за меня http://******”). The link from such a message leads to a fraudulent website supposedly related to some photo contest. From this website, a modification of the Trojan detected by Dr.Web as Android.SmsBot.472.origin gets downloaded to the victim's device. Moreover, the website offers owners of smartphones and tablets to install a special program for voting which is, in fact, another version of Android.BankBot.80.origin.

#drweb #drweb

The Trojan's features are as follows:

For more information about Android.BankBot.80.origin, refer to the news article published on our website.

The number of entries for banking Trojans of the Android.BankBot family in Dr.Web virus database:

September 2015October 2015Dynamics

The number of entries for multicomponent Trojans of the Android.SmsSend family in Dr.Web virus database:

September 2015October 2015Dynamics